phpmaster | Uploading Files with PHP

PHP file upload: build a safe and reliable upload system

Online album pictures, email attachments, and batch processing application data files have one thing in common: they all need to upload files to the Internet through the user's web browser. The file upload feature is an important part of many websites and web applications that are used every day. This article will show you how to add file upload support to your website using PHP.

Key Points

• Adding file upload support in PHP requires creating an HTML form for users and a PHP script for processing files uploaded on the server. The <form></form> element must use the POST method and set the enctype property to multipart/form-data.
• The uploaded files are first stored in a temporary directory. The PHP script responsible for handling form submissions validates the file and processes it, usually moving it from a temporary location to a more permanent location.
• Information about file uploads is provided through multi-dimensional arrays $_FILES. The move_uploaded_file() function moves the uploaded file from a temporary location to a permanent location and performs additional checks to make sure the file is indeed uploaded via HTTP POST request.
• There is a security risk for file uploads. To mitigate these risks, you can verify the type of uploaded files, impose strict restrictions on upload traffic, and scan for viruses. It is also important to ensure a secure file name by replacing any characters that are not letters, numbers, or a very limited set of punctuation marks with an underscore.

Prerequisites

Processing file upload is not difficult, but there are some small details that must be correct, otherwise the upload will fail. First, you need to make sure that PHP is configured to allow uploads. Check your php.ini file and verify that the file_uploads directive is set to On.

<code>file_uploads = On</code>

Uploaded files are first stored in a temporary directory (don't worry... your PHP script can then move files to a more permanent location afterward). By default, the initial location is the system's default temporary directory. You can specify different directories using the upload_tmp_dir directive in php.ini. In any case, you should verify that the PHP process has the appropriate permissions to write to the directory you are using.

<code>upload_tmp_dir = "/tmp"

tboronczyk@zarkov:~$ ls -l / | grep tmp
drwxrwxrwt  13 root root 40960 2011-08-31 00:50 tmp</code>

After confirming that the configuration allows the server to accept uploaded files, you can focus on HTML details. Like most other server-side interactions from HTML, uploading files uses forms. It is very important that your <form></form> element must use the POST method and set the enctype property to multipart/form-data.

Writing an upload process script

According to your own experience and the requirements mentioned just now, you may have guessed the process of file uploading.

• Visitors view HTML pages that contain forms specifically used to support file uploads.
• The visitor provides the file he wants to upload and submits the form.
• The browser encodes the file and sends it as part of a POST request issued to the server.
• PHP receives form submissions, decodes the file and saves it in a temporary location on the server.
• Responsible for handling the PHP script validation file for the form submission and processing it somehow, usually moving it from a temporary location to a more permanent location.

Adding file upload support requires you to create an HTML form to be presented to the user and a PHP script to handle files uploaded on the server.

HTML

HTML form provides the interface for user to initiate file upload. Remember that the method attribute of the <input> element must be set to post and the enctype attribute must be set to multipart/form-data. A file <input> element provides a field that specifies the file to be uploaded. Like any other form element, it is important to provide the name attribute so that you can reference it in a PHP script that processes the form. Here is an example of marking for a basic file upload form:

<code>file_uploads = On</code>

It is worth noting that different browsers will render file fields in different ways. IE, Firefox, and Opera display it as text fields with buttons marked Browse or Select next to them. Safari renders it as a button marked only as Select File. This is usually not a problem because the user is used to how the field is rendered in the browser of its choice and knows how to use it. However, sometimes you encounter clients or designers who insist on presenting it in some way. Due to security reasons imposed by the browser, the number of CSS and JavaScript that can be applied to file fields is very limited. Styled file fields can be difficult. If the appearance is important to you, I suggest you check out Peter-Paul Koch's Styled input type="file".

PHP

Information about file uploads is provided through multi-dimensional arrays $_FILES. This array is indexed by the name assigned to the file fields in the HTML form, just like $_GET and $_POST indexed by name. Then, the array of each file contains the following index:

• $_FILES["myFile"]["name"] Stores the original file name from the client.
• $_FILES["myFile"]["type"] The MIME type that stores the file.
• $_FILES["myFile"]["size"] Size of the file in bytes.
• $_FILES["myFile"]["tmp_name"] The name of the temporary file is stored.
• $_FILES["myFile"]["error"] Store any error codes generated during transfer.

The

move_uploaded_file() function moves the uploaded file from a temporary location to a permanent location. You should always use functions like move_uploaded_file() instead of copy() and rename() for this purpose, as it performs additional checks to make sure the file is indeed uploaded via HTTP POST request. If you plan to save files with the original file name provided by the user, it is best to make sure that this is safe. The file name should not contain any characters that may affect the destination path, such as slashes. Nor should the name cause the file to overwrite existing files with the same name (unless your application design does that). I ensure a safe file name by replacing any non-letter, number or a very limited set of punctuation characters with an underscore, and then appending incremented numbers when the file with the same name already exists. Here is an example of receiving and processing PHP file uploads:

<code>file_uploads = On</code>

This code first ensures that there are no errors in uploading the file. It then determines the secure file name (as I just mentioned) and uses move_uploaded_file() to move the file to its final directory. Finally, call chmod() to ensure reasonable access is set on the new file.

Safety Precautions

Most of us won't let a total stranger store random files on our PC, but when you allow files to be uploaded in our app, you're actually doing it. You may be planning to have the user upload his own photos as a profile page, but what if he tries to upload a specially made, virus-containing executable file? I want to share some steps you can take to minimize the inherent security risks of allowing file uploads. One of the steps is to verify that the uploaded file is correct. Depend on the value of $_FILES["myFile"]["type"] or extension of the file name is not safe, because both are prone to forgery. Instead, use a function like exif_imagetype() to check the contents of the file and determine if it is indeed GIF, JPEG, or several other supported image formats. If exif_imagetype() is not available (the function requires the Exif extension to be enabled), then getimagesize() can be used. getimagesize() The returned array will contain the image type (if recognized).

<code>upload_tmp_dir = "/tmp"

tboronczyk@zarkov:~$ ls -l / | grep tmp
drwxrwxrwt  13 root root 40960 2011-08-31 00:50 tmp</code>

For non-image files, you can use exec() to call the unix file utility. file determines the type of the file by looking for known binary signatures in the expected location.

<code>file_uploads = On</code>

Another step you can take is to impose a strict limit on the total size of the POST request and the number of files that can be uploaded. To do this, specify appropriate values ​​for the upload_max_size, post_max_size, and max_file_uploads directives in php.ini. The upload_max_size directive specifies the maximum size for file uploads. In addition to uploaded size, you can also use the post_max_size directive to limit the size of the entire POST request. max_file_uploads is a newer directive (added in version 5.2.12) that limits the number of file uploads. These three instructions help protect your website from attacks that attempt to undermine its availability by causing a lot of network traffic or system load.

<code>upload_tmp_dir = "/tmp"

tboronczyk@zarkov:~$ ls -l / | grep tmp
drwxrwxrwt  13 root root 40960 2011-08-31 00:50 tmp</code>

The third step you can take is to use the virus scanner to scan the uploaded files. This is crucial in today’s era of widespread viruses and malware, especially when your website allows other individuals to download uploaded files later, such as attachments in web-based email clients or (legal) file sharing sites. There is a PHP extension that can access ClamAV, but, of course, you can call ClamAV's command-line utility like I demonstrated for file.

Summary

You have learned how easy it is to use your website or web-based application to support file uploads. For uploading to be successful, the HTML form must be submitted via a multipart/form-data-encoded POST request, and PHP must allow transfers specified using the file_uploads directive. After the file is transferred, the script responsible for handling the upload moves the file from the temporary directory to the desired location using the information found in the $_FILES array. I also share some additional precautions that you can take to protect yourself and your users from some of the risks associated with allowing file uploads. You see how to ensure file names are secure, verify file types, impose strict restrictions on upload traffic, and scan for viruses.

(Such content, such as the FAQ section, can be added as needed)

The above is the detailed content of phpmaster | Uploading Files with PHP. For more information, please follow other related articles on the PHP Chinese website!